
Commit 385bce0

Squashed commit of the following:
commit 02c7d25 Author: Kugamoorthy Gajananan <[email protected]> Date: Thu Jan 21 15:39:59 2021 +0900 Added make target and script to update version in necessary files after building bundle based on new version (IBM#261) commit 6546dc1 Author: hirokuni-kitahara <[email protected]> Date: Thu Jan 21 15:37:29 2021 +0900 fix integrity shield roles/cert config and add event type annotation to IntegrityShieldEvent (IBM#262) * update role & cert duration and fix e2e test issue * add event type annotation and fix e2e test commit 121e937 Author: hirokuni-kitahara <[email protected]> Date: Wed Jan 20 22:29:17 2021 +0900 fix patch functions and add troubleshooting doc (IBM#259) * fix patch functions and add troubleshooting doc * fix scripts and some parts in doc commit 0ef8683 Author: Yuji Watanabe <[email protected]> Date: Wed Jan 20 22:18:16 2021 +0900 change from K8s to k8s (IBM#260) * change from K8s to k8s * fix tested cluster version
1 parent 020e973 commit 385bce0

11 files changed

+69
-62
lines changed


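--- a/Makefile
+++ b/Makefile
@@ -298,6 +298,7 @@ delete-test-env:
 @echo
 @echo deleting test namespace
 kubectl delete ns $(TEST_NS)
+kubectl delete ns $(TEST_NS_NEW)
 kubectl delete ns $(TEST_UNPROTECTED_NS)
 
 setup-test-resources:
@@ -392,6 +393,7 @@ setup-tmp-cr:
 yq write -i $(TMP_CR_FILE) spec.keyConfig[1].secretName $(TEST_SECRET2)
 @echo setup signer config
 yq write -i $(TMP_CR_FILE) spec.signerConfig.policies[2].namespaces[0] $(TEST_NS)
+yq write -i $(TMP_CR_FILE) spec.signerConfig.policies[2].namespaces[1] $(TEST_NS_NEW)
 yq write -i $(TMP_CR_FILE) spec.signerConfig.policies[2].signers[0] $(TEST_SIGNERS)
 yq write -i $(TMP_CR_FILE) spec.signerConfig.signers[1].name $(TEST_SIGNERS)
 yq write -i $(TMP_CR_FILE) spec.signerConfig.signers[1].keyConfig $(TEST_KEYCONFIG)
@@ -524,3 +526,9 @@ create-private-registry:
 
 delete-private-registry:
 $(ISHIELD_REPO_ROOT)/build/delete-private-registry.sh
+
+.PHONY: update-version
+
+# use this command to update VERSION after doing 'make build-bundle'
+update-version:
+$(ISHIELD_REPO_ROOT)/build/update-version.sh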
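Review bot: The `update-version` recipe in the last hunk runs build/update-version.sh with whatever `PREV_VERSION` and `VERSION` happen to be in the environment — the Makefile passes nothing explicitly — and the script rewrites nine tracked files with them, so an empty value silently produces a wrong or empty substitution. The target should fail before touching anything, e.g. `update-version:` / `$(if $(strip $(PREV_VERSION)),,$(error PREV_VERSION is empty))` / `$(if $(strip $(VERSION)),,$(error VERSION is empty))` ahead of the script call. Whether these variables are set in this Makefile or come from ishield-build.conf is not visible in the hunk, so the guard is worth having either way. The new `kubectl delete ns $(TEST_NS_NEW)` line in the first hunk follows the existing pattern and needs no change.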

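--- /dev/null
+++ b/build/update-version.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Copyright 2020 IBM Corporation.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+sed -i "s|$PREV_VERSION|$VERSION|" ${ISHIELD_REPO_ROOT}/docs/ACM/README_DISABLE_ISHIELD_PROTECTION_ACM_ENV.md
+sed -i "s|$PREV_VERSION|$VERSION|" ${ISHIELD_REPO_ROOT}/scripts/install_shield.sh
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}Makefile
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/testdata/deploymentForIShield.yaml
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/testdata/integrityShieldCRForTest.yaml
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/testdata/integrityShieldCR.yaml
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_OP_DIR}resources/default-ishield-cr.yaml
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_DIR}version/version.go
+sed -i "s|$PREV_VERSION|$VERSION|" ${SHIELD_DIR}pkg/util/mapnode/node_test.go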
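Review bot: `set -e` on line 17 does not catch unset variables, so if `PREV_VERSION`, `VERSION`, `ISHIELD_REPO_ROOT`, `SHIELD_OP_DIR` or `SHIELD_DIR` is missing the sed calls either abort on an empty regex or run against paths such as `/docs/...` rooted at the filesystem root; change it to `set -eu` and add `: "${PREV_VERSION:?}" "${VERSION:?}" "${ISHIELD_REPO_ROOT:?}" "${SHIELD_OP_DIR:?}" "${SHIELD_DIR:?}"` before the first sed so the script stops with a clear message. The two version strings are also spliced unescaped into the `s|…|…|` expression, so a `.` in `PREV_VERSION` matches any character and a `|` or `&` in either value would break or alter the substitution; a comment stating that both must be plain dotted version strings, or escaping them first, would prevent surprises. The unquoted `${ISHIELD_REPO_ROOT}` and friends should be double-quoted for the same reason. `sed -i` without a suffix is GNU-specific, which is fine only if this script is meant to run on Linux alone.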

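--- a/integrity-shield-operator/cert/cert.go
+++ b/integrity-shield-operator/cert/cert.go
@@ -45,7 +45,7 @@ func GenerateCert(svcName, NS string) ([]byte, []byte, []byte, error) {
 KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 BasicConstraintsValid: true,
 NotBefore: time.Now(),
-NotAfter: time.Now().AddDate(10, 0, 0),
+NotAfter: time.Now().AddDate(2, 0, 0),
 }
 
 caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
@@ -92,7 +92,7 @@ func GenerateCert(svcName, NS string) ([]byte, []byte, []byte, error) {
 CommonName: cn,
 },
 NotBefore: time.Now(),
-NotAfter: time.Now().AddDate(10, 0, 0),
+NotAfter: time.Now().AddDate(2, 0, 0),
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 KeyUsage: x509.KeyUsageDigitalSignature,
 DNSNames: []string{cn},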
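Review bot: The validity period `2` is now a bare literal in both hunks (the CA at line 48 and the webhook certificate at line 95) with nothing explaining why two years was chosen or what must happen when it elapses; hoist it into one named constant, `const certValidityYears = 2 // lifetime of the CA and webhook certs; they must be regenerated before expiry`, and use it in both `AddDate` calls so the two cannot drift apart. Nothing in either hunk shows rotation or expiry monitoring, so unless the operator regenerates the secret on its own (not visible here), a sentence in GenerateCert's doc comment should state that redeploying is the expected path before the certificates expire. `NotBefore: time.Now()` on both certs leaves no tolerance for clock skew between the issuer and the API server; that line predates this commit, but it is worth noting while the validity window is being shortened. GenerateCert starts and ends outside the hunks.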

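--- a/integrity-shield-operator/config/rbac/role.yaml
+++ b/integrity-shield-operator/config/rbac/role.yaml
@@ -39,10 +39,7 @@ rules:
 - apiGroups:
 - apps
 resources:
-- daemonsets
 - deployments
-- replicasets
-- statefulsets
 verbs:
 - create
 - delete
@@ -51,33 +48,14 @@ rules:
 - patch
 - update
 - watch
-- apiGroups:
-- apps
-resources:
-- deployments
-- replicasets
-verbs:
-- get
-- apiGroups:
-- apps
-resourceNames:
-- integrity-shield-operator
-resources:
-- deployments/finalizers
-verbs:
-- update
 - apiGroups:
 - ""
 resources:
 - configmaps
-- endpoints
 - events
-- persistentvolumeclaims
-- pods
 - secrets
 - serviceaccounts
 - services
-- services/finalizers
 verbs:
 - create
 - delete
@@ -86,29 +64,6 @@ rules:
 - patch
 - update
 - watch
-- apiGroups:
-- ""
-resources:
-- namespaces
-verbs:
-- get
-- list
-- patch
-- update
-- watch
-- apiGroups:
-- ""
-resources:
-- pods
-verbs:
-- get
-- apiGroups:
-- monitoring.coreos.com
-resources:
-- servicemonitors
-verbs:
-- create
-- get
 - apiGroups:
 - policy
 resources: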

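--- a/integrity-shield-operator/controllers/integrityshield.go
+++ b/integrity-shield-operator/controllers/integrityshield.go
@@ -27,6 +27,7 @@ import (
 apiv1alpha1 "github.com/IBM/integrity-enforcer/integrity-shield-operator/api/v1alpha1"
 res "github.com/IBM/integrity-enforcer/integrity-shield-operator/resources"
 rsp "github.com/IBM/integrity-enforcer/shield/pkg/apis/resourcesigningprofile/v1alpha1"
+common "github.com/IBM/integrity-enforcer/shield/pkg/common"
 admv1 "k8s.io/api/admissionregistration/v1beta1"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
@@ -1022,6 +1023,9 @@ func (r *IntegrityShieldReconciler) createOrUpdateWebhookEvent(instance *apiv1al
 ObjectMeta: metav1.ObjectMeta{
 Name: evtName,
 Namespace: evtNamespace,
+Annotations: map[string]string{
+common.EventTypeAnnotationKey: common.EventTypeValueReconcileReport,
+},
 },
 InvolvedObject: involvedObject,
 Type: evtSourceName,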
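Review bot: The annotation added at lines 1026-1028 is set only on the Event literal built here; because the function is named createOrUpdateWebhookEvent, if the update path later copies individual fields onto an Event that already exists (the rest of the body is outside the hunk), events created before this commit would never receive the annotation — worth confirming that path also writes `common.EventTypeAnnotationKey`. A short comment above the map, `// tag operator-generated events so consumers can tell reconcile reports from verification results`, would record why the key is set here. The function starts and ends outside the hunk.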

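--- a/integrity-shield-operator/controllers/integrityshield_controller.go
+++ b/integrity-shield-operator/controllers/integrityshield_controller.go
@@ -41,13 +41,8 @@ type IntegrityShieldReconciler struct {
 Scheme *runtime.Scheme
 }
 
-// +kubebuilder:rbac:groups=core,resources=pods;services;serviceaccounts;services/finalizers;endpoints;persistentvolumeclaims;events;configmaps;secrets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=core,resources=namespaces,verbs=get;list;watch;update;patch
-// +kubebuilder:rbac:groups=apps,resources=deployments;daemonsets;replicasets;statefulsets,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups=monitoring.coreos.com,resources=servicemonitors,verbs=get;create
-// +kubebuilder:rbac:groups=apps,resources=deployments/finalizers,resourceNames=integrity-shield-operator,verbs=update
-// +kubebuilder:rbac:groups=core,resources=pods,verbs=get
-// +kubebuilder:rbac:groups=apps,resources=deployments;replicasets,verbs=get
+// +kubebuilder:rbac:groups=core,resources=services;serviceaccounts;events;configmaps;secrets,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apis.integrityshield.io,resources=integrityshields;integrityshields/finalizers;shieldconfigs;signerconfigs;resourcesigningprofiles;resourcesignatures;helmreleasemetadatas,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=*
 // +kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles;clusterrolebindings;roles;rolebindings,verbs=*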
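Review bot: The narrowed markers at lines 44-45 are what config/rbac/role.yaml is generated from, but nothing beside them says so or records why pods, namespaces, endpoints, persistentvolumeclaims and the monitoring.coreos.com group were dropped; add a comment such as `// RBAC markers: keep these to the resources the reconciler actually manages and regenerate config/rbac/role.yaml whenever they change.` so the next edit does not re-widen them by habit. The unchanged markers on lines 47-48 still grant `verbs=*` on CRDs and on ClusterRoles/ClusterRoleBindings, which is the broadest permission left in this block; a one-line comment stating which reconcile step needs the wildcard would make a later narrowing tractable. The struct and the markers sit at file scope, so there is no enclosing function to note.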

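--- a/integrity-shield-operator/test/e2e/e2e_test.go
+++ b/integrity-shield-operator/test/e2e/e2e_test.go
@@ -418,25 +418,25 @@ var _ = Describe("Test integrity shield", func() {
 framework := initFrameWork()
 var timeout int = 120
 expected := "test-configmap"
-By("Creating new namespace: " + test_namespace)
-cmd_err := Kubectl("create", "ns", test_namespace)
+By("Creating new namespace: " + test_namespace_new)
+cmd_err := Kubectl("create", "ns", test_namespace_new)
 Expect(cmd_err).To(BeNil())
-By("Creating test configmap in ns: " + test_namespace)
-cmd_err = Kubectl("apply", "-f", test_configmap, "-n", test_namespace)
+By("Creating test configmap in ns: " + test_namespace_new)
+cmd_err = Kubectl("apply", "-f", test_configmap, "-n", test_namespace_new)
 Expect(cmd_err).NotTo(BeNil())
 Eventually(func() error {
-return CheckBlockEvent(framework, "no-signature", test_namespace, expected)
+return CheckBlockEvent(framework, "no-signature", test_namespace_new, expected)
 }, timeout, 1).Should(BeNil())
 })
 It("Signed resource should be allowed in new namespace", func() {
 framework := initFrameWork()
 var timeout int = 120
 expected := "test-configmap-annotation"
-By("Creating test configmap in ns: " + test_namespace)
-cmd_err := Kubectl("apply", "-f", test_configmap_annotation, "-n", test_namespace)
+By("Creating test configmap in ns: " + test_namespace_new)
+cmd_err := Kubectl("apply", "-f", test_configmap_annotation, "-n", test_namespace_new)
 Expect(cmd_err).To(BeNil())
 Eventually(func() error {
-return CheckConfigMap(framework, test_namespace, expected)
+return CheckConfigMap(framework, test_namespace_new, expected)
 }, timeout, 1).Should(BeNil())
 })
 It("Resources in unmonitored ns can be created without signature", func() {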
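Review bot: `test_namespace_new`, used on new-side lines 421-439, is read straight from `os.Getenv("TEST_NS_NEW")` in the framework.go hunk with no check that it is non-empty, so when the variable is unset the first `Kubectl("create", "ns", …)` fails with an opaque kubectl error and the "Signed resource should be allowed in new namespace" case proceeds with an empty namespace argument. Add `Expect(test_namespace_new).NotTo(BeEmpty())` at the top of each of these It blocks, or validate it once where the other namespace variables are checked; the same point applies to the framework.go hunk and is not repeated there. The enclosing Describe and the first It block start outside the hunk.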

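--- a/integrity-shield-operator/test/e2e/framework.go
+++ b/integrity-shield-operator/test/e2e/framework.go
@@ -48,6 +48,7 @@ var (
 kubeconfig_user = os.Getenv("KUBE_CONTEXT_USERNAME")
 ishield_namespace = os.Getenv("ISHIELD_OP_NS")
 test_namespace = os.Getenv("TEST_NS")
+test_namespace_new = os.Getenv("TEST_NS_NEW")
 test_unprotected_namespace = os.Getenv("TEST_UNPROTECTED_NS")
 shield_dir = os.Getenv("SHIELD_OP_DIR")
 deploy_dir = shield_dir + "test/deploy/"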

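--- a/ishield-build.conf
+++ b/ishield-build.conf
@@ -30,6 +30,7 @@ WATCH_NAMESPACE=integrity-shield-operator-system
 SHIELD_DIR=${ISHIELD_REPO_ROOT}/shield/
 SHIELD_OP_DIR=${ISHIELD_REPO_ROOT}/integrity-shield-operator/
 TEST_NS=test-ns
+TEST_NS_NEW=test-ns-new
 TEST_UNPROTECTED_NS=unprotected-test-ns
 ENVTEST_ASSETS_DIR=${ISHIELD_REPO_ROOT}/integrity-shield-operator/testbin
 TEST_ASSET_ETCD=${ISHIELD_REPO_ROOT}/integrity-shield-operator/testbin/bin/etcd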

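--- a/shield/pkg/common/common.go
+++ b/shield/pkg/common/common.go
@@ -67,6 +67,16 @@ const (
 LabelValueUnverified = "unverified"
 )
 
+const (
+EventTypeAnnotationKey = "integrityshield.io/eventType"
+EventResultAnnotationKey = "integrityshield.io/eventResult"
+
+EventTypeValueReconcileReport = "reconcile-report"
+EventTypeValueVerifyResult = "verify-result"
+EventResultValueAllow = "allow"
+EventResultValueDeny = "deny"
+)
+
 type SignatureType string
 
 const (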
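Review bot: The six exported constants at lines 71-77 carry no doc comments, so godoc and readers of the annotation keys cannot tell which values belong to which key; add a block comment, `// Annotation keys and values stamped on Events emitted by the shield and the operator.`, and a one-line comment on each key naming the values it takes (EventTypeAnnotationKey with the two EventTypeValue constants, EventResultAnnotationKey with the two EventResultValue constants). That pairing is inferred from the names; the only use visible in this commit is the operator setting EventTypeAnnotationKey to EventTypeValueReconcileReport, so the comment should be checked against the shield-side writer of the verify-result pair. The const block is complete within the hunk.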
